SQL注入过滤字符的Fuzz脚本测试

Get.php

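<!DOCTYPE html>
<html>
<head>
	<title>Sql Waf Test</title>
</head>
<body>
	<div style="text-align:center;">
	<form method="GET" action="">
		<h1>Insert Data</h1>
		<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
		<br><br>
		<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
		<br><br>
		<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
	<?php
	/*
	 * Deliberately vulnerable WAF test target (GET variant) -- lab use only,
	 * never deploy.
	 *
	 * The only control in front of the two SQL sinks below is the keyword /
	 * character blacklist in $black_list; sql_waf_test.py probes which tokens
	 * that regex lets through by looking for the "Illegal Char" marker in the
	 * response. The string-built SQL is therefore intentional here. In real
	 * code the fix is a prepared statement (mysqli_prepare + bind_param), not
	 * a longer blacklist.
	 */

	// Case-insensitive substring match. It rejects benign input that merely
	// contains a listed word ("victor", "format"), and it is silent on anything
	// not listed -- the fuzz output shows like, if, benchmark, updatexml,
	// extractvalue, "/", "(", ")" and "=" all passing.
	$black_list="/select|sleep|and|or|union|\"|'|--|#|where|from|limit/i";

	// Hard-coded root credentials: acceptable only on a throwaway local instance.
	// The port is passed as its own argument rather than relying on "host:port"
	// being parsed out of the hostname.
	$con = mysqli_connect("127.0.0.1","root","root",null,3306);
	if($con === false){
		// Older PHP returns false on failure; PHP 8.1+ throws instead, which
		// also stops the page before the sinks are reached.
		die("<h2>Database connection failed</h2>");
	}
	// Schema setup runs on every request and fails silently once the database
	// and table exist, so the return values are deliberately not checked.
	mysqli_query($con,"create database test");
	mysqli_select_db($con,"test");
	mysqli_query($con,"create table tb_user
		(
		uid int(11) primary key auto_increment not null,
		username varchar(50) not null,
		password varchar(50) not null,
		UNIQUE(username)
		)");
	if(isset($_GET['submit1'])){
		$username = isset($_GET['username']) ? $_GET['username'] : '';
		$raw_password = isset($_GET['password']) ? $_GET['password'] : '';
		if(preg_match($black_list,$username)){
			// Closing tag fixed (was "<h2>Illegal Char<h2>"); the fuzz script
			// only searches for the text, so the typo went unnoticed.
			echo "<h2>Illegal Char</h2>";
		}else{
			// Check the raw password: md5('') is a 32-character string, so the
			// previous empty() test on the hash could never fire.
			if(empty($username) || $raw_password === ''){
				echo "<h2>Username or Password can not be empty</h2>";
			}else{
				// md5 is not a password hash (fast, unsalted). It is kept only
				// because the column is varchar(50) and nothing in this harness
				// ever verifies it; real code uses password_hash()/password_verify().
				$password = md5($raw_password);
				// SINK (intentional): $username is interpolated unescaped; only
				// the blacklist above stands between the request and the query.
				$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
				if($insert_sql){
					echo "<h2>Insert Success</h2>";
				}else{
					echo "<h2>Insert Fail</h2>";
				}
			}
		}
	}
	?>
	</form>
	</div>
	<div style="text-align:center;">
	<form method="GET" action="">
	<br><br><br><br><br><br><br>
	<h1>Query Data</h1>
	<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
	<br><br>
	<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
	<?php
	if(isset($_GET['submit2'])){
		$query_name = isset($_GET['query']) ? $_GET['query'] : '';
		if(preg_match($black_list,$query_name)){
			// echo instead of die(): die() cut the document off before </html>.
			echo "<h2>Illegal Char</h2>";
		}else{
			if(empty($query_name)){
				echo "<h2>Query data can not be empty</h2>";
			}else{
				// SINK (intentional): same unescaped interpolation as the insert.
				$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
				if($query_data){
					$sql_data = mysqli_fetch_assoc($query_data);
					echo "<br><br><br><br>";
					// The row is reflected into HTML: escape it so a stored
					// username such as <script>...</script> (no quotes, so it
					// passes the blacklist) does not turn the harness into a
					// stored-XSS host. The dump also exposes the password hash
					// -- acceptable in a lab only.
					ob_start();
					var_dump($sql_data);
					echo htmlspecialchars(ob_get_clean(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
				}else{
					echo "<h2>Query Fail</h2>";
				}
			}
		}
	}
	?>
	</form>
	</div>
</body>
</html>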

sql_waf_test.py

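import requests

# Tokens to probe against the server-side blacklist: SQL keywords first, then
# the metacharacters typical injection payloads depend on. Each token is sent
# on its own, so the run only maps which single tokens the regex rejects; it
# does not try case, URL-encoding or comment-based variants of them.
sql_char = ['select',
            'union',
            'and',
            'or',
            'sleep',
            'where',
            'from',
            'limit',
            'group',
            'by',
            'like',
            'prepare',
            'as',
            'if',
            'char',
            'ascii',
            'mid',
            'left',
            'right',
            'substring',
            'handler',
            'updatexml',
            'extractvalue',
            'benchmark',
            'insert',
            'update',
            'all',
            '@',
            '#',
            '^',
            '&',
            '*',
            '\'',
            '"',
            '~',
            '`',
            '(',
            ')',
            '--',
            '=',
            '/',
            '\\',
            ' ']

URL = "http://127.0.0.1/get.php"
BLOCKED_MARKER = "Illegal Char"  # text get.php echoes when $black_list matches


def is_blocked(payload, url=URL, timeout=5):
    """Send one GET probe and return True if the blacklist rejected it.

    The payload goes through ``params=`` so requests percent-encodes it. The
    original code concatenated it into the URL by hand, which silently breaks
    two of the probes: a literal ``#`` starts the URL fragment, so neither the
    payload nor ``submit2`` reaches the server (the page then prints no
    marker and ``#`` is reported as passing even though the regex lists it),
    and a literal ``&`` terminates the ``query`` parameter.
    """
    res = requests.get(url, params={"query": payload, "submit2": "sbumit"},
                       timeout=timeout)
    # Anything other than the marker counts as "passed" -- including an empty
    # response, a PHP error page or a connection to the wrong script -- so
    # check the page by hand when a result looks surprising.
    return BLOCKED_MARKER in res.text


if __name__ == "__main__":
    for char in sql_char:
        if is_blocked(char):
            print("该字符是非法字符: {0}".format(char))
        else:
            print("通过: {0}".format(char))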
PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py
该字符是非法字符: select
该字符是非法字符: union
该字符是非法字符: and
该字符是非法字符: or
该字符是非法字符: sleep
该字符是非法字符: where
该字符是非法字符: from
该字符是非法字符: limit
通过: group
通过: by
通过: like
通过: prepare
通过: as
通过: if
通过: char
通过: ascii
通过: mid
通过: left
通过: right
通过: substring
该字符是非法字符: handler
通过: updatexml
通过: extractvalue
通过: benchmark
通过: insert
通过: update
通过: all
通过: @
通过: #    ← 假阴性：脚本把 # 直接拼进 URL，# 被当作 URL fragment，query 和 submit2 都没有发送到服务器，页面自然不会输出 Illegal Char。# 实际上在黑名单中；用 requests 的 params= 对参数编码后，这一行应显示为非法字符。
通过: ^
通过: &
通过: *
该字符是非法字符: '
该字符是非法字符: "
通过: ~
通过: `
通过: (
通过: )
该字符是非法字符: --
通过: =
通过: /
通过: \
通过:

Post.php

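<!DOCTYPE html>
<html>
<head>
	<title>Sql Waf Test</title>
</head>
<body>
	<div style="text-align:center;">
	<form method="POST" action="">
		<h1>Insert Data</h1>
		<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
		<br><br>
		<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
		<br><br>
		<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
	<?php
	/*
	 * Deliberately vulnerable WAF test target (POST variant) -- lab use only,
	 * never deploy.
	 *
	 * The only control in front of the two SQL sinks below is the keyword
	 * blacklist in $black_list; sql_waf_test.py probes which tokens that regex
	 * lets through by looking for the "Illegal Char" marker in the response.
	 * The string-built SQL is therefore intentional here. In real code the fix
	 * is a prepared statement (mysqli_prepare + bind_param), not a longer list.
	 */

	// Much shorter list than the GET variant: quotes, "--", "#", sleep, where
	// and from are no longer filtered, which the fuzz output reflects. Matching
	// is a case-insensitive substring test, so "victor" is rejected while
	// unlisted tokens (like, if, benchmark, updatexml, ...) pass untouched.
	$black_list="/select|and|or|union|limit/i";

	// Hard-coded root credentials: acceptable only on a throwaway local instance.
	// The port is passed as its own argument rather than relying on "host:port"
	// being parsed out of the hostname.
	$con = mysqli_connect("127.0.0.1","root","root",null,3306);
	if($con === false){
		// Older PHP returns false on failure; PHP 8.1+ throws instead, which
		// also stops the page before the sinks are reached.
		die("<h2>Database connection failed</h2>");
	}
	// Schema setup runs on every request and fails silently once the database
	// and table exist, so the return values are deliberately not checked.
	mysqli_query($con,"create database test");
	mysqli_select_db($con,"test");
	mysqli_query($con,"create table tb_user
		(
		uid int(11) primary key auto_increment not null,
		username varchar(50) not null,
		password varchar(50) not null,
		UNIQUE(username)
		)");
	if(isset($_POST['submit1'])){
		$username = isset($_POST['username']) ? $_POST['username'] : '';
		$raw_password = isset($_POST['password']) ? $_POST['password'] : '';
		if(preg_match($black_list,$username)){
			// Closing tag fixed (was "<h2>Illegal Char<h2>"); the fuzz script
			// only searches for the text, so the typo went unnoticed.
			echo "<h2>Illegal Char</h2>";
		}else{
			// Check the raw password: md5('') is a 32-character string, so the
			// previous empty() test on the hash could never fire.
			if(empty($username) || $raw_password === ''){
				echo "<h2>Username or Password can not be empty</h2>";
			}else{
				// md5 is not a password hash (fast, unsalted). It is kept only
				// because the column is varchar(50) and nothing in this harness
				// ever verifies it; real code uses password_hash()/password_verify().
				$password = md5($raw_password);
				// SINK (intentional): $username is interpolated unescaped; only
				// the blacklist above stands between the request and the query.
				$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
				if($insert_sql){
					echo "<h2>Insert Success</h2>";
				}else{
					echo "<h2>Insert Fail</h2>";
				}
			}
		}
	}
	?>
	</form>
	</div>
	<div style="text-align:center;">
	<form method="POST" action="">
	<br><br><br><br><br><br><br>
	<h1>Query Data</h1>
	<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
	<br><br>
	<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
	<?php
	if(isset($_POST['submit2'])){
		$query_name = isset($_POST['query']) ? $_POST['query'] : '';
		if(preg_match($black_list,$query_name)){
			// echo instead of die(): die() cut the document off before </html>.
			echo "<h2>Illegal Char</h2>";
		}else{
			if(empty($query_name)){
				echo "<h2>Query data can not be empty</h2>";
			}else{
				// SINK (intentional): same unescaped interpolation as the insert.
				// With quotes no longer blacklisted, ' is enough to break out of
				// the literal here.
				$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
				if($query_data){
					$sql_data = mysqli_fetch_assoc($query_data);
					echo "<br><br><br><br>";
					// The row is reflected into HTML: escape it so a stored
					// username such as <script>...</script> does not turn the
					// harness into a stored-XSS host. The dump also exposes the
					// password hash -- acceptable in a lab only.
					ob_start();
					var_dump($sql_data);
					echo htmlspecialchars(ob_get_clean(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
				}else{
					echo "<h2>Query Fail</h2>";
				}
			}
		}
	}
	?>
	</form>
	</div>
</body>
</html>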

sql_waf_test.py

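import requests

# Tokens to probe against the server-side blacklist: SQL keywords first, then
# the metacharacters typical injection payloads depend on. Each token is sent
# once, prefixed with "test", so the run only maps which single tokens the
# regex rejects; it does not try case, encoding or comment-based variants.
sql_char = ['select',
            'union',
            'and',
            'or',
            'sleep',
            'where',
            'from',
            'limit',
            'group',
            'by',
            'like',
            'prepare',
            'as',
            'if',
            'char',
            'ascii',
            'mid',
            'left',
            'right',
            'substring',
            'handler',
            'updatexml',
            'extractvalue',
            'benchmark',
            'insert',
            'update',
            'all',
            '@',
            '#',
            '^',
            '&',
            '*',
            '\'',
            '"',
            '~',
            '`',
            '(',
            ')',
            '--',
            '=',
            '/',
            '\\',
            ' ']

# NOTE(review): the page labels this target Post.php but the URL still says
# get.php; the probe only exercises the $_POST handler if that is what get.php
# contains on the server. Point URL at the POST variant if it lives elsewhere.
URL = "http://127.0.0.1/get.php"
BLOCKED_MARKER = "Illegal Char"  # text the PHP page echoes when $black_list matches

# Browser-like headers; requests would set Host and Content-Type itself, the
# explicit values here are identical to what it would send.
HEADERS = {
    'Host': '127.0.0.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
}


def is_blocked(payload, url=URL, timeout=5):
    """Send one POST probe and return True if the blacklist rejected it.

    The form fields are passed to ``data=`` as a dict so requests
    percent-encodes them. The original hand-built body
    ``"query=test" + char + "&submit2=sbumit"`` is mis-parsed for ``&`` (it
    ends the query field, so the server saw ``query=test``), and would be for
    any other character that is significant in
    application/x-www-form-urlencoded (``+``, ``%``) if such tokens were
    added to the list.
    """
    res = requests.post(url,
                        data={"query": "test" + payload, "submit2": "sbumit"},
                        headers=HEADERS, timeout=timeout)
    # Anything other than the marker counts as "passed" -- including an empty
    # response or a PHP error page -- so check surprising results by hand.
    return BLOCKED_MARKER in res.text


if __name__ == "__main__":
    for char in sql_char:
        if is_blocked(char):
            print("该字符是非法字符: {0}".format(char))
        else:
            print("通过: {0}".format(char))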
PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py
该字符是非法字符: select
该字符是非法字符: union
该字符是非法字符: and
该字符是非法字符: or
通过: sleep
通过: where
通过: from
该字符是非法字符: limit
通过: group
通过: by
通过: like
通过: prepare
通过: as
通过: if
通过: char
通过: ascii
通过: mid
通过: left
通过: right
通过: substring
该字符是非法字符: handler
通过: updatexml
通过: extractvalue
通过: benchmark
通过: insert
通过: update
通过: all
通过: @
通过: #
通过: ^
通过: &    ← 注意：& 被直接拼进表单体后会截断参数，服务器实际收到的是 query=test，因此这一行并不能说明 & 是否被过滤（本例黑名单中本来也没有 &）。用 data= 字典让 requests 编码后才是有效测试。
通过: *
通过: '
通过: "
通过: ~
通过: `
通过: (
通过: )
通过: --
通过: =
通过: /
通过: \
通过:


转载自blog.csdn.net/mochu7777777/article/details/108073359